1 Introduction

In this paper we focus on some aspects related to the modeling and formal verification of embedded systems. Many models have been proposed to represent embedded systems [1, 2]. These models encompass a broad range of styles, characteristics, and application domains and include extensions of finite state machines, data flow graphs, communication processes and Petri nets. In this report, we use the PRES+ model (Petri net based Representation for Embedded Systems), an extension of the classical Petri net model that captures the concurrency and timing behaviour of embedded systems; it allows systems to be represented at different levels of abstraction and improves expressiveness by allowing tokens to carry information. This modeling formalism has well-defined semantics, so it supports a precise representation of the system. As a first step, we have taken an untimed PRES+ model, which captures all the features of the PRES+ model except the timing behaviour, as reported in an earlier report.

A typical synthesis flow of complex systems like VLSI circuits or embedded systems comprises several phases. 
Each phase transforms/refines the input behavioural specification (of the systems to be designed) with a view to 
optimize time and physical resources. Behavioural verification involves demonstrating the equivalence between the 
input behaviour and the final design which is the output of the last phase. In computational terms, it is required to 
show that all the computations represented by the input behavioural description, and exactly those, are captured by the 
output description. 

Modeling using PRES+, as discussed above, may be convenient for specifying the input behaviour because it supports concurrency. However, to the best of our knowledge, no equivalence checking method for PRES+ models has been reported in the literature. In contrast, equivalence checking methods for FSMD models exist [4], and a transformation procedure from the non-pipelined version of a PRES+ model to the pipelined version has been reported. As a first step, we seek to hand-execute our reported algorithm on a real-life example, for which we have to translate the two versions of the PRES+ model to FSMD models.

The rest of the paper is organized as follows. Section 2 presents the definitions of the PRES+ and FSMD models. Section 3 presents the proposed algorithm for conversion from untimed PRES+ models to FSMD models. Section 4 presents the notions of equivalence and abstraction; in this section we also present the working principle of a real-life embedded system example. Section 5 verifies the equivalence between the initial and transformed behaviour using the FSMD equivalence checking method. Finally, some future work is identified in Section 6.



2 Brief description of PRES+ and FSMD model

Before the conversion mechanism, we discuss the design representation of PRES+ models.

2.1 Description of PRES+ models

A PRES+ model is a seven-tuple $N = (P, V_P, K, T, I_P, O, M_0)$, where the members are defined as follows. The set $P = \{p_1, p_2, \ldots, p_m\}$ is a finite non-empty set of places; $V_P$ is the set of variables. A place $p$ is associated with a variable $v_p$; therefore, $V_P = \{v_p \mid p \in P\}$. Every place is capable of holding a token having a value. A token value may be of any type, such as Boolean, integer, etc., or a user-defined type of any complexity (for instance, a structure, a set, or a record). The set $K$ denotes the set of all possible token types. Thus, $K$ is a set of sets. The set $T = \{t_1, t_2, \ldots, t_n\}$ is a finite non-empty set of transitions; $I_P \subseteq P \times T$ is a finite non-empty set of input arcs which define the flow relation from places to transitions ("input" with respect to transitions); $O \subseteq T \times P$ is a finite non-empty set of output arcs which define the flow relation from transitions to places. A marking $M$ is the assignment of tokens to places of the net; hence, $M \subseteq P$. The marking of a place $p \in P$, denoted $M(p)$, is either 0 or 1. For a particular marking $M$, a place $p$ is said to be marked iff $M(p) = 1$. $M_0$ is the initial marking of the net, depicting the places having tokens initially.

The type function $\tau: P \to K$ associates every place $p \in P$ with a token type.

The pre-set ${}^{\circ}t$ of a transition $t \in T$ is the set of input places of $t$. Thus, ${}^{\circ}t = \{p \in P \mid (p, t) \in I_P\}$. Similarly, the post-set $t^{\circ}$ of a transition $t \in T$ is the set of output places of $t$. So, $t^{\circ} = \{p \in P \mid (t, p) \in O\}$ and $\forall t \in T, \forall p_1, p_2 \in t^{\circ}$, $\tau(p_1) = \tau(p_2)$ and $v_{p_1} = v_{p_2}$. The subset $V_{{}^{\circ}t} = \{v_p \mid p \in {}^{\circ}t\}$ is the set of variables associated with places from which input arcs lead to the transition $t$. Similarly, the pre-set ${}^{\circ}p$ and the post-set $p^{\circ}$ of a place $p \in P$ are given by ${}^{\circ}p = \{t \in T \mid (t, p) \in O\}$ and $p^{\circ} = \{t \in T \mid (p, t) \in I_P\}$, respectively.

For every transition $t \in T$, there exists a transition function $f_t$ associated with $t$; that is, for all $t \in T$, $f_t: \tau(p_1) \times \tau(p_2) \times \cdots \times \tau(p_a) \to \tau(q)$, where ${}^{\circ}t = \{p_1, p_2, \ldots, p_a\}$ and $q \in t^{\circ}$. The functions $f_t$ are used to capture the functional transforms that take place on the variables associated with the output places of the transitions, i.e., $v_q \Leftarrow f_t(v_{p_1}, v_{p_2}, \ldots, v_{p_a})$.

A transition $t \in T$ may have a guard $g_t$ associated with it. The guard of a transition $t$ is a predicate $g_t: \tau(p_1) \times \tau(p_2) \times \cdots \times \tau(p_a) \to \{0, 1\}$, where ${}^{\circ}t = \{p_1, p_2, \ldots, p_a\}$, over the variable set $V_{{}^{\circ}t}$.

2.2 Description of FSMD model 

A finite state machine with data path (FSMD) is a universal specification model. An FSMD is defined as an ordered tuple $F = (Q, q_0, I_F, V_F, O_F, f, h)$ where

$Q = \{q_0, q_1, \ldots, q_n\}$ is a finite set of control states, $q_0 \in Q$ is the reset state. $I_F$ is the set of primary input signals. $V_F$ is the set of storage variables. $O_F$ is the set of primary output signals, $O_F \subseteq V_F$. $f: Q \times 2^S \to Q$ is the state transition function, $h: Q \times 2^S \to U$ is the update function of the output and the storage variables, where $S$ and $U$ are as defined below. $S = \{L \cup E_R \mid L$ is the set of boolean literals of the form $b$ or $\neg b$, $b \in B \subseteq V_F$ is a boolean variable and $E_R = \{e\,R\,0 \mid e \in E_A\}\}$; it represents the set of status expressions over $I_F \cup V_F$, where $E_A$ represents a set of arithmetic expressions over $I_F \cup V_F$ of input and storage variables and $R$ is any arithmetic relation, $R \in \{=, \neq, >, \geq, <, \leq\}$. $U = \{x \Leftarrow e \mid x \in O_F \cup V_F$ and $e \in E_A \cup E_R\}$ represents the set of storage or output assignments.

3 Proposed algorithm for conversion from an untimed PRES+ model to an FSMD model

Let the input PRES+ model be $N$ and the generated FSMD model be $F$. For simplicity, we assume that all tokens are of integer type, i.e., $\tau(p) = \mathbb{Z}$ for all $p \in P$.

The first step of our algorithm computes the following entities in the FSMD model: $q_0$, $I_F$, $V_F$, $O_F$, $U$ and $S$. The algorithm then goes on to compute $Q$: the set of states; $f$: the state transition function and $h$: the update function. Symbolic simulation of the PRES+ model is used to compute these entities starting from the initial marking $M_0 = q_0$.

• At each step of the simulation, starting from a present marking $M (= q) \subseteq P$, the algorithm enumerates all the possible sets of transitions of $N$ from $M$; for each of these sets of possible transitions, it constructs the next state ($q^+$) of $F$ from the new marking $M^+$ of the PRES+ model $N$.

• Obtain the transition from $q$ to $q^+$ in $F$.

• For example, consider the scenario given in Figure 1. Let $M = \{p_1, p_2, p_3\} = q$; so the set $T_q$ of all transitions emanating from the places in $M$ is given by $T_q = \{t_1, t_2, t_3\}$. The possible sets of transitions are $\{t_1, t_2\}$ leading to the marking $M_1^+ = \{p_4, p_5, p_6\} = q_1^+$ and $\{t_1, t_3\}$ leading to the marking $M_2^+ = \{p_4, p_7\} = q_2^+$. The FSMD transition $(q \to q_1^+)$ is associated with the guard condition $g$ and the FSMD transition $(q \to q_2^+)$ is associated with the guard condition $\neg g$, i.e., $f(q, g) = q_1^+$ and $f(q, \neg g) = q_2^+$. $h(q, g)$: $v_{p_4} \Leftarrow f_{t_1}(v_{p_1}, v_{p_2})$ and $v_{p_6} = v_{p_5} \Leftarrow f_{t_2}(v_{p_3})$. $h(q, \neg g)$: $v_{p_4} \Leftarrow f_{t_1}(v_{p_1}, v_{p_2})$ and $v_{p_7} \Leftarrow f_{t_3}(v_{p_7})$.

Figure 1: Places and transitions in a PRES+ model

Algorithm

Steps:

Step 1: Given PRES+ model $N$
    $q_0 \Leftarrow M_0$;
    $I_F \Leftarrow \{$variables associated with $p \mid p \in M_0(p)\}$;
    $V_F \Leftarrow \{$variables associated with $p \mid p \notin M_0(p)\}$;
    // $O_F$ is the set of variables associated with places from which no arcs are input to any transition. Therefore,
    $O_F \Leftarrow \{$variable associated with $p \mid p^{\circ} = \emptyset\}$;
    // $U$ is obtained from the transition functions of the PRES+ model and the variables associated with the post-set of each transition. Therefore,
    $U \Leftarrow \{x \Leftarrow f_t(v_1, v_2, \ldots, v_n) \mid t \in T$, $f_t$ is the function associated with $t$, $x = v_{t^{\circ}}$ and $v_i \in V_{{}^{\circ}t}$, $1 \leq i \leq n\}$;
    // $S$ is obtained from the guard conditions of the PRES+ model. Therefore,
    $S \Leftarrow \{g_t \mid t \in T\}$;

Step 2: $Q \Leftarrow \{q_0\}$; $Q_{new} \Leftarrow Q$; $Q^+_{new} \Leftarrow \emptyset$;

Step 3: $\forall q \in Q_{new}$
    Step 3.1: $Q_{new} \Leftarrow Q_{new} - \{q\}$; $T_q \Leftarrow \{t \mid {}^{\circ}t \in q\}$;
        $\tau_q \Leftarrow$ constructSetOfTransitions($T_q$); // $\tau_q \in 2^{T_q}$, the set of possible transitions
        $Q^q_{new} = \emptyset$; // $Q^q_{new}$: the set of next states generated depending on $q$, mutually exclusive depending on the guard conditions associated with the members of $T_q$
    Step 3.2: $\forall \mathcal{T} \in \tau_q$
        Step 3.2.1: $q^+ \Leftarrow \{t^{\circ} \mid t \in \mathcal{T}\}$; $Q^q_{new} \Leftarrow Q^q_{new} \cup \{q^+\}$;
        Step 3.2.2: Let $G_{\mathcal{T}}$ be the set of guards associated with $t \in \mathcal{T}$. In the table of the function $f$, insert the entry $f(q, G_{\mathcal{T}}) = q^+$;
        Step 3.2.3: Let $A_{\mathcal{T}}$ be the set of assignments of the form $\{v \Leftarrow f_t(v_1, v_2, \ldots, v_n) \mid t \in \mathcal{T}$, $\{v\} = t^{\circ}$, $\{v_1, v_2, \ldots, v_n\} = {}^{\circ}t$ and $f_t$ is the function associated with $t\}$;
            In the table of the function $h$, insert the entry $h(q, G_{\mathcal{T}}) = A_{\mathcal{T}}$; // members of $A_{\mathcal{T}}$ are carried out in parallel
        Step 3.2.4: $Q^+_{new} \Leftarrow Q^+_{new} \cup Q^q_{new}$;

Step 4: // Any new state generated
    $Q^+_{new} \Leftarrow Q^+_{new} - Q$;
    if $Q^+_{new} = \emptyset$ exit;
    else { $Q \Leftarrow Q \cup Q^+_{new}$; $Q_{new} \Leftarrow Q^+_{new}$; $Q^+_{new} \Leftarrow \emptyset$;
        goto Step 3
    }
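The conversion above, run on the Figure 1 scenario, as an added Python example (not code from the paper). The arc structure of the net, the body of `construct_sets` (the paper does not define constructSetOfTransitions) and the firing rule that keeps unconsumed tokens are assumptions.

```python
from itertools import combinations

# Constructed net for the Figure 1 scenario; the arcs are an assumption
# read off the example in the text: name -> (pre-set, post-set, guard).
NET = {
    "t1": ({"p1", "p2"}, {"p4"}, None),
    "t2": ({"p3"}, {"p5", "p6"}, "g"),
    "t3": ({"p3"}, {"p7"}, "!g"),
}
M0 = frozenset({"p1", "p2", "p3"})

def construct_sets(enabled, net):
    """Assumed constructSetOfTransitions: maximal subsets of the enabled
    transitions in which no two transitions share an input place."""
    def conflict_free(ts):
        return all(not net[a][0] & net[b][0] for a, b in combinations(ts, 2))
    ok = [frozenset(c) for r in range(1, len(enabled) + 1)
          for c in combinations(sorted(enabled), r) if conflict_free(c)]
    return [s for s in ok if not any(s < o for o in ok)]

def pres_to_fsmd(net, m0):
    """Steps 2-4: explore markings from m0, filling the tables f and h."""
    states, frontier, f, h = {m0}, [m0], {}, {}
    while frontier:
        q = frontier.pop()
        enabled = {t for t, (pre, _, _) in net.items() if pre <= q}  # T_q
        for ts in construct_sets(enabled, net):
            consumed = set().union(*(net[t][0] for t in ts))
            produced = set().union(*(net[t][1] for t in ts))
            # Assumption: unconsumed places keep their token (usual firing
            # rule); Step 3.2.1 on the page lists only the post-sets.
            q_next = frozenset((q - consumed) | produced)
            guards = frozenset(net[t][2] for t in ts if net[t][2])
            f[(q, guards)] = q_next
            h[(q, guards)] = {
                "v_%s <= f_%s(%s)" % (p, t, ", ".join(
                    "v_" + x for x in sorted(net[t][0])))
                for t in ts for p in net[t][1]}
            if q_next not in states:          # Step 4: keep only new states
                states.add(q_next)
                frontier.append(q_next)
    return states, f, h

if __name__ == "__main__":
    Q, f, h = pres_to_fsmd(NET, M0)
    for (q, g), q_next in f.items():
        print(sorted(q), sorted(g), "->", sorted(q_next), sorted(h[(q, g)]))
```

The two entries of `f` reproduce $f(q, g) = q_1^+$ and $f(q, \neg g) = q_2^+$ from the example, and `h` holds the matching parallel assignments.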




Figure 2: PRES+ model to be converted into FSMD model




4 Notion of equivalence and real-life example

4.1 Notion of equivalence between two PRES+ models

In the synthesis process there are a number of refinement phases. The system model is transformed in each phase, so the validity of the transformation depends on the equivalence between the input behaviour and the output behaviour of each phase. The literature [3] has propounded three notions of equivalence: cardinality equivalence, functional equivalence, and time equivalence; two PRES+ models are totally equivalent iff they satisfy all of these equivalences. We are dealing with untimed PRES+; hence, there is no need to show time equivalence. Two PRES+ models $N_1$ and $N_2$ are cardinality equivalent iff:

1. There exists a one-to-one correspondence between the in-ports and the out-ports of $N_1$ and $N_2$, i.e., $f_{in}: inP_1 \mapsto inP_2$ and $f_{out}: outP_1 \mapsto outP_2$.

2. The initial markings $M_{1,0}$ and $M_{2,0}$ of $N_1$ and $N_2$ are the same.

3. After execution of $N_1$ and $N_2$, if the tokens are accumulated at the out-ports of each net, there is a one-to-one correspondence of markings at their out-ports.

For example, in Figure 4, $inP_1 = \{P_a, P_b\}$, $outP_1 = \{P_e, P_f, P_g\}$, $inP_2 = \{P_{aa}, P_{bb}\}$, $outP_2 = \{P_{ee}, P_{ff}, P_{gg}\}$, and $f_{in}$ and $f_{out}$ are defined by $f_{in}(P_a) = P_{aa}$, $f_{in}(P_b) = P_{bb}$, $f_{out}(P_e) = P_{ee}$, $f_{out}(P_f) = P_{ff}$ and $f_{out}(P_g) = P_{gg}$. The two nets also satisfy the second condition. $N_1$ and $N_2$ also satisfy the third condition, i.e., after execution of $N_1$ and $N_2$ all out-ports of $N_1$ and $N_2$ contain tokens and they are in one-to-one correspondence. Hence the two PRES+ models $N_1$ and $N_2$ are cardinality equivalent.

Two PRES+ nets $N_1$ and $N_2$ are functionally equivalent iff:

1. $N_1$ and $N_2$ are cardinality equivalent,

2. The token values in the out-ports of $N_1$ and $N_2$ are the same.

For example, in Figure 5, $N_1$ and $N_2$ are cardinality equivalent. If $P_a$ of $N_1$ and $P_{aa}$ of $N_2$ contain tokens whose values are 2, then after execution of $N_1$ and $N_2$ the out-ports of $N_1$ and $N_2$ contain tokens whose values are 5. Hence the two nets are totally equivalent.

Figure 4: Cardinality equivalence nets

Figure 5: Functional equivalence nets



4.2 Modeling of a real life example 

Non-pipelined and pipelined versions of the PRES+ model for a jammer are reported in [3]. A transformation technique from the non-pipelined version of the PRES+ model to the pipelined version has also been reported. The non-pipelined and pipelined versions of the PRES+ model are shown in Figure 6 and Figure 7, respectively.




Figure 6: A non-pipelined PRES+ model for a jammer




5 Experimental results 



We have reported a translation algorithm from an untimed PRES+ model to an FSMD model. By hand execution of this translation algorithm we have obtained the FSMD model of the jammer from the non-pipelined PRES+ model. The FSMD model is given in Figure 8 and its transition function is given in Table 1. Similarly, the FSMD generated from the pipelined PRES+ model is shown in Figure 9 and its state transition function is given in Table 2.

Figure 8: A non-pipelined FSMD model for a jammer



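| State | Transition function |
|---|---|
| $\langle q_0, q_1 \rangle$ | in-Copy, Thresold-copy, trigerselect-Copy, opMode-Copy, modParLib-Copy and delayPerLib-copy |
| $\langle q_1, q_2 \rangle$ | detectEnv |
| $\langle q_2, q_3 \rangle$ | detectAmp |
| $\langle q_3, q_4 \rangle$ | thresold-keepVal, copy |
| $\langle q_4, q_5 \rangle$ | getAmp, pwPricnt |
| $\langle q_5, q_6 \rangle$ | getT |
| $\langle q_6, q_7 \rangle$ | head |
| $\langle q_7, q_8 \rangle$ | f |
| $\langle q_8, q_9 \rangle$ | getKPS |
| $\langle q_8, q_9 \rangle$ | FFT |
| $\langle q_8, q_9 \rangle$ | getPer |
| $\langle q_9, q_{10} \rangle$ | getType |
| $\langle q_{10}, q_{11} \rangle$ | trigSelect-keepVal, getScenario |
| $\langle q_{11}, q_{12} \rangle$ | trigSelect-copy, opMode-keepVal, extractN, extractN |
| $\langle q_{12}, q_{13} \rangle$ | opmode-copy, delayPerLib-keepVal, modPerLib-keepVal, adjustdelay |
| $\langle q_{13}, q_{14} \rangle$ | delayPerLib-copy, modPerLib-copy, doMod |
| $\langle q_{14}, q_{15} \rangle$ | sumsig |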

Table 1: Transition function for the FSMD model obtained from the non-pipelined PRES+ model of a jammer

Figure 9: A pipelined FSMD model for a jammer



| State | Transition function |
|---|---|
| $\langle q_0, q_1 \rangle$ | in-Copy ∘ detectEnv |
| $\langle q_1, q_2 \rangle$ | Thresold-copy ∘ keepVal ∘ detectAmp |
| $\langle q_2, q_3 \rangle$ | in-Copy ∘ getAmp |
| $\langle q_3, q_4 \rangle$ | pwPriCnt ∘ getT head |
| $\langle q_4, q_5 \rangle$ | f ∘ getKPS ∘ FFT ∘ getPer |
| $\langle q_5, q_6 \rangle$ | trigerselect-Copy ∘ keepVal getType ∘ opMode-Copy ∘ keepVal ∘ getScenario |
| $\langle q_6, q_7 \rangle$ | modParLib-Copy ∘ keepVal ∘ extractN and delayParLibCopy ∘ keepVal ∘ extractN ∘ adjustDelay |
| $\langle q_7, q_8 \rangle$ | doMod ∘ sumsig |
| $\langle q_8, q_9 \rangle$ | emit |

Table 2: Transition function for the FSMD model obtained from the pipelined PRES+ model of a jammer



Here the FSMD equivalence checking is very straightforward. The two versions of the FSMD have only one path each, and the data transformations shown in Table 1 and Table 2 are the same. Hence the two FSMD models are equivalent.

6 Plan of Future work 

Carrying out analysis for correctness of the technique, complexity analysis, etc. Direct equivalence checking between two PRES+ models. Generalization of FSMD models to timed FSMD models: we will generalize an FSMD model to a timed FSMD model which can capture the data path as well as timing behaviour. Conversion of PRES+ models to timed FSMD models.